While a strong focus on protecting India’s cyber assets is required, it is reasonable to assume that there will be more cyber attacks in 2017. These attacks will lead to leakage of sensitive information, unavailability of your favourite internet services and the other disruptions common during a cyber attack. It is hence important to deliberate on a breach notification policy framework.

Currently, many regulators (such as RBI) and CERT-in lay down rules to ensure companies report certain kinds of cyber incidents. However, there is no policy which requires entities to report breaches to you and me, the consumers. This means that if (say) a bank gets hacked and that leads to leakage of consumers’ sensitive information (such as phone numbers or account balances), the bank is under no obligation to inform the consumers about the extent of the breach or to explain what steps are being taken to prevent such incidents in the future. Consumers are therefore in the dark about the status of their data and cannot take corrective steps. For instance, if a consumer knows that her credit card number is compromised, she can contact her bank, cancel the card and get a new one issued.

Here are some questions to ponder while we design such a policy:

What type of breaches should be notified?

Agencies like CERT-in require companies to report any “significant” breach; however, attacks which are “significant” to the organization may be irrelevant to a consumer. For example, does the consumer really need to be notified if an attack caused a network outage internal to an organization? How about if only employee details were leaked? On the other hand, attacks which lead to leakage of consumer PII (personally identifiable information) certainly warrant a consumer notification. It is important to make it easy for organizations to distinguish between breaches which need to be notified and those which do not.

Who should be notified?

The policy should address the question of who needs to be notified. Should it be limited to “affected parties” (for example, users whose accounts were compromised) or should the entire public be notified? The answer to this question may differ based on industry, company size and ownership model (i.e. publicly held vs. privately held companies).

Should notifications be enforced? If yes, who should enforce it?

It is important for the policy to define whether it merely “recommends” notification or enforces it. If the latter, the policy needs to define who the enforcer should be. Options include the central government, state governments (as in the USA) or industry regulators.

What should be the nature of the notification?

It will be useful to define the nature of the notification as well. While some flexibility can be provided to the breached organization, broad guidelines should be laid down. The absence of such a guideline might lead to an organization notifying a breach through a small column on page 16 of a local daily.

When should the notification take place?

While it makes sense to give breached organizations some time to investigate the breach, it is important to have a deadline by which the organization has to notify the consumer. For example, the US state of Florida mandates that such a breach be notified within 30 days of determination of the breach.

A robust breach notification policy is a requirement as we move rapidly towards a digital economy. While some companies may resist such a policy because it makes things harder for them, it certainly serves the interest of their customers and brings much needed transparency to the complex world of cyber attacks.

Sandesh Anand is a GCPP9 alumnus and an Information Security professional. He tweets as @JubbaOnJeans


There is little doubt that securing our cyberspace is important. Over the last few years, the union government has acknowledged this importance and taken many initiatives to improve the security posture of our cyber infrastructure. However, the lack of a coherent message from the various agencies working on these initiatives can lead to cyber security becoming no more than a heavily regulated compliance burden.

Cyber security is complex, but the regulators need to keep it simple.

The “National Cyber Security Policy” drafted in 2013 is an important document. While not yet implemented in full, various recommendations made in that document have been implemented. One of the principal “strategies” of this policy is to create a nodal agency to co-ordinate all matters related to cyber security. CERT-in was created to fulfil this requirement. In addition, Section 70(A) of the IT Act mandates the creation of another “nodal” agency to protect the nation’s Critical Information Infrastructure; the NCIIPC (National Critical Information Infrastructure Protection Centre) was hence created. Finally, regulators of various sectors (banking, telecom etc.) have understood the importance of cyber security and have come up with their own “cyber security guidelines”.

Sense the problem?

Let’s take the example of a bank which wants to implement a cyber security program. In addition to doing all it can to protect its assets (based on its own expertise), it also wants to make sure all the regulatory boxes are ticked. Given that banks come under the definition of “Critical Infrastructure”, the bank will need to follow the guidelines provided by NCIIPC. In addition, RBI has multiple guidelines on how to implement its Information Security program. CERT-in also provides various guidelines on how to implement specific aspects of the bank’s Information Security program.

The story repeats when a breach occurs. NCIIPC has a 24x7 desk to handle incidents on CII (the bank will need to notify them); at the same time, banks are required to notify RBI and CERT-in when a major breach occurs (defining “major breach” is itself an interesting exercise; let’s reserve that for a separate post). So in addition to swiftly dealing with a breach, the bank will have to deal with the red tape of communicating with three different agencies.

Given the complexity of the subject, it is desirable to have multiple opinions on the best way to implement cyber security. However, it is important for the regulatory framework to speak with one voice. Far too often, security is looked at as a bottleneck or a mere compliance requirement. When this happens, the focus of the industry is less on securing its ecosystem and more on making sure all the boxes are ticked. As we figure our way through the maze of cyber security, it is important for our regulatory system to get its act together. There has been talk of a “National Cyber Security Assurance Framework” being developed. Such a framework should work to unite all the current efforts instead of adding yet another layer of regulation for the industry to follow.

Sandesh Anand is a GCPP9 alumnus and an Information Security professional. He tweets as @JubbaOnJeans


This is a community blog by the public policy students, alumni, scholars and staff of the Takshashila Institution. The opinions are those of the respective authors and do not represent the position of the editors or that of the Takshashila Institution.